Bad Rabbit Ransomware

A new strain of ransomware, dubbed Bad Rabbit, has affected over 200 major organizations, mainly in Russia, Ukraine, Germany, Japan, and Turkey.

It is reportedly a Petya-like ransomware attack targeting corporate networks, demanding 0.05 bitcoin (about $285 at the time) as ransom to unlock each infected system.

One of the distribution methods of Bad Rabbit is drive-by download: several popular websites were compromised and had JavaScript injected into their HTML body or into one of their .js files.

This script reports the following to 185.149.120[.]3 (which did not respond at the time of analysis):

Browser User-Agent

Referrer

Cookie from the visited site

Domain name of the visited site

Server-side logic then decides whether the visitor is of interest and, if so, adds content to the page. What has been observed in that case is a popup in the middle of the page asking the visitor to download an update for Flash Player.

Clicking the “Install” button starts the download of an executable file from 1dnscontrol[.]com. This file, install_flash_player.exe, is the dropper for Win32/Diskcoder.D.
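The drive-by chain above (a beacon to 185.149.120[.]3, then the install_flash_player.exe download from 1dnscontrol[.]com) leaves a recognisable sequence in web-proxy logs. The PowerShell below is an added example and not code from the original write-up: it parses a simple, constructed proxy log format (timestamp, client, method, URL, status; adapt the regex to your proxy) and reports, per client, whether it beaconed, fetched the dropper, or did both within a short window. The sample log lines are constructed for the example.

```powershell
# Added example: hunt a proxy log for the Bad Rabbit drive-by chain.
# IOCs from the write-up: beacon host 185.149.120.3, dropper host 1dnscontrol.com,
# dropper file name install_flash_player.exe. Log format and sample lines are constructed.

$BeaconHosts  = @('185.149.120.3')
$DropperHosts = @('1dnscontrol.com')
$DropperFile  = 'install_flash_player.exe'

# Constructed sample log: "<timestamp> <client> <method> <url> <status>", one request per line
$SampleLog = @'
2017-10-24T10:01:12Z 10.0.0.15 GET http://news.example.org/index.html 200
2017-10-24T10:01:13Z 10.0.0.15 POST http://185.149.120.3/ 404
2017-10-24T10:01:40Z 10.0.0.15 GET http://1dnscontrol.com/ 200
2017-10-24T10:01:41Z 10.0.0.15 GET http://1dnscontrol.com/install_flash_player.exe 200
2017-10-24T10:03:00Z 10.0.0.22 POST http://185.149.120.3/ 404
2017-10-24T10:05:00Z 10.0.0.30 GET http://intranet.example.org/ 200
'@ -split "`r?`n"

function Find-BadRabbitWebChain {
    param([string[]]$Lines, [int]$WindowMinutes = 10)

    # Stage 1: tag every request that touches an IOC host
    $hits = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+(?<status>\d+)$') {
            $uri = [uri]$Matches.url
            $stage = if ($BeaconHosts -contains $uri.Host) { 'beacon' }
                     elseif ($DropperHosts -contains $uri.Host -and $uri.AbsolutePath.EndsWith($DropperFile)) { 'dropper' }
                     elseif ($DropperHosts -contains $uri.Host) { 'dropper-site' }
            if ($stage) {
                [pscustomobject]@{
                    Time   = [datetimeoffset]$Matches.ts
                    Client = $Matches.client
                    Stage  = $stage
                    Url    = $Matches.url
                    Status = [int]$Matches.status
                }
            }
        }
    }

    # Stage 2: correlate per client. The full chain is a beacon followed by the
    # dropper download from the same client inside the window.
    $hits | Group-Object Client | ForEach-Object {
        $beacon  = $_.Group | Where-Object Stage -eq 'beacon'  | Sort-Object Time | Select-Object -First 1
        $dropper = $_.Group | Where-Object Stage -eq 'dropper' | Sort-Object Time | Select-Object -Last 1
        $chained = $false
        if ($beacon -and $dropper) {
            $delta   = ($dropper.Time - $beacon.Time).TotalMinutes
            $chained = ($delta -ge 0) -and ($delta -le $WindowMinutes)
        }
        [pscustomobject]@{
            Client    = $_.Name
            Beacon    = [bool]$beacon
            Dropper   = [bool]$dropper
            FullChain = $chained
            Events    = $_.Group
        }
    }
}

Find-BadRabbitWebChain -Lines $SampleLog | Format-Table Client, Beacon, Dropper, FullChain -AutoSize
```

On the constructed input, 10.0.0.15 is reported with the full chain and 10.0.0.22 with a beacon only. For a real log, pass `Get-Content proxy.log` as `-Lines`. A beacon on its own means the injected script ran in that browser (the server may simply not have served the popup); a dropper download means the user clicked “Install” and the host should be triaged, since the file still has to be launched and pass the UAC prompt before anything is encrypted.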

The downloaded file, install_flash_player.exe, has to be launched manually by the victim. To operate correctly it needs elevated administrative privileges, which it attempts to obtain through the standard UAC prompt. If it is allowed to run, it saves the malicious DLL as C:\Windows\infpub.dat and launches it using rundll32.

Finally the computer is locked and shows the ransom note.

infpub.dat acts as a typical file-encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them with AES, protecting the AES key with the criminal’s embedded RSA-2048 public key so that only the holder of the matching private key can recover it.
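The hybrid scheme just described is what makes recovery without the criminal’s private key infeasible. The PowerShell below is an added model of that scheme built on .NET’s built-in crypto classes; it is not the malware’s code and makes no claim about its exact parameters beyond AES-128-CBC for the data and RSA-2048 for the key. The sample plaintext is constructed.

```powershell
# Added example, not the malware's own code: a model of the hybrid scheme using .NET.
# File contents are encrypted under a random AES-128-CBC key; that key is wrapped with
# an RSA-2048 public key (OAEP). The victim only ever holds the public half, so the
# wrapped key cannot be recovered without the matching private key.

function Protect-Data {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $bundle = [pscustomobject]@{
        WrappedKey = $PublicKey.Encrypt($aes.Key, $true)   # $true selects OAEP padding
        IV         = $aes.IV                               # not secret, stored alongside the data
        Ciphertext = $cipher
    }
    $aes.Dispose()
    $bundle
}

function Unprotect-Data {
    param($Bundle, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    # Throws "Key does not exist" when $PrivateKey holds only the public half
    $key = $PrivateKey.Decrypt($Bundle.WrappedKey, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $key
    $aes.IV  = $Bundle.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Bundle.Ciphertext, 0, $Bundle.Ciphertext.Length)
    $aes.Dispose()
    ,$plain
}

# Criminal side: generates the key pair and keeps the private half off the victim's machine.
$criminal = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
# Victim side: only the public parameters, as they would be embedded in the ransomware DLL.
$victim = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider
$victim.ImportParameters($criminal.ExportParameters($false))

$sample = [Text.Encoding]::UTF8.GetBytes('constructed sample document contents')
$bundle = Protect-Data -Plaintext $sample -PublicKey $victim

try {
    Unprotect-Data -Bundle $bundle -PrivateKey $victim | Out-Null
    'unexpected: the public key alone decrypted the data'
} catch {
    "victim cannot unwrap the AES key: $($_.Exception.GetBaseException().Message)"
}

$recovered = Unprotect-Data -Bundle $bundle -PrivateKey $criminal
[Text.Encoding]::UTF8.GetString($recovered) -eq 'constructed sample document contents'
```

The last line evaluates to True only with the criminal’s key pair; the earlier attempt with the public-only object fails inside `Decrypt`. This is the whole reason the ransom note can promise decryption: the key material needed to reverse the AES step never exists on the victim’s machine.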

The executable dispci.exe appears to be derived from the code base of the legitimate open-source utility DiskCryptor. It acts as the disk encryption module: it installs a modified bootloader and prevents the normal boot-up process of the infected machine.
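The artifacts named so far (the DLL at C:\Windows\infpub.dat, rundll32 running it, and the DiskCryptor-derived dispci.exe) are what a responder looks for first on a suspect host. The PowerShell below is an added, read-only triage function and not part of the original write-up. The infpub.dat path comes from the text; placing dispci.exe in the same directory is an assumption, since the text gives no path for it.

```powershell
# Added example (not from the original write-up): read-only triage of a Windows host.
# Paths: C:\Windows\infpub.dat is from the text; dispci.exe in the same directory is assumed.
# Run elevated so that every process command line is visible. Nothing is modified.

function Get-BadRabbitHostIndicators {
    $paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\dispci.exe")

    $fileHits = foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        # A pre-placed vaccine file has an empty DACL, so hashing it fails; report that rather than abort.
        $hash = try { (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction Stop).Hash } catch { 'unreadable' }
        [pscustomobject]@{
            Kind   = 'File'
            Detail = $p
            Size   = $item.Length
            Sha256 = $hash
            Seen   = $item.LastWriteTimeUtc
        }
    }

    # rundll32 with infpub.dat on its command line, or dispci.exe itself
    $procHits = Get-CimInstance -ClassName Win32_Process |
        Where-Object { ($_.Name -ieq 'rundll32.exe' -and $_.CommandLine -match 'infpub\.dat') -or $_.Name -ieq 'dispci.exe' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Process'
                Detail = "PID $($_.ProcessId): $($_.CommandLine)"
                Size   = $null
                Sha256 = $null
                Seen   = $_.CreationDate
            }
        }

    @($fileHits) + @($procHits)
}

$findings = Get-BadRabbitHostIndicators
if ($findings) { $findings | Format-Table -AutoSize } else { 'no Bad Rabbit artifacts found' }
```

A zero-byte, unreadable infpub.dat is the vaccine file described in the prevention section, not the dropped DLL. Any non-empty infpub.dat, any dispci.exe, or a live rundll32 with infpub.dat on its command line means the dropper has already run with elevated rights and the host should be isolated from the network before it starts scanning for SMB shares.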

Win32/Diskcoder.D has the ability to spread via SMB. Contrary to some public claims, it does not use the EternalBlue exploit that the Win32/Diskcoder.C (NotPetya) outbreak used. It first scans the internal network for open SMB shares.

Mimikatz is launched on the compromised computer to harvest credentials, and a hardcoded list of usernames and passwords is also present, for use against the discovered hosts.
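Because the spread relies on trying harvested and hardcoded credentials against hosts found by the scan rather than on an exploit, it is visible on each target as a burst of network logons from one source against several accounts in a short time. The PowerShell below is an added detection example, not part of the original write-up: it runs a sliding window over Security-log style events (4624 and 4625, logon type 3) and flags any source that tried at least a given number of distinct accounts within the window. The events are constructed objects carrying only the fields the check needs, and the account names are placeholders, not the malware’s list.

```powershell
# Added example (not from the original write-up): flag a credential spray over SMB as
# seen from a target host. Events are constructed; on a live host map Get-WinEvent
# output into the same shape (see the note after the block).

$SampleEvents = @(
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:00:01'; EventId=4625; LogonType=3; SourceIp='10.0.0.15'; Account='Administrator' }
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:00:02'; EventId=4625; LogonType=3; SourceIp='10.0.0.15'; Account='Admin' }
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:00:02'; EventId=4625; LogonType=3; SourceIp='10.0.0.15'; Account='User' }
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:00:03'; EventId=4625; LogonType=3; SourceIp='10.0.0.15'; Account='Guest' }
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:00:04'; EventId=4624; LogonType=3; SourceIp='10.0.0.15'; Account='backup' }
    # Benign traffic: a file-server session and a local interactive logon
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:02:00'; EventId=4624; LogonType=3; SourceIp='10.0.0.50'; Account='svc_files' }
    [pscustomobject]@{ Time=[datetime]'2017-10-24T11:02:30'; EventId=4624; LogonType=2; SourceIp='-';         Account='alice' }
)

function Find-SmbCredentialSpray {
    param([object[]]$Events, [int]$MinAccounts = 3, [int]$WindowMinutes = 5)

    $Events |
        Where-Object { $_.LogonType -eq 3 -and $_.EventId -in @(4624, 4625) } |
        Group-Object SourceIp |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            # Slide a window starting at each event; report the first window that trips the threshold
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start  = $sorted[$i].Time
                $end    = $start.AddMinutes($WindowMinutes)
                $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
                $accounts = @($window.Account | Select-Object -Unique)
                if ($accounts.Count -ge $MinAccounts) {
                    [pscustomobject]@{
                        SourceIp  = $_.Name
                        From      = $start
                        Accounts  = $accounts.Count
                        Failed    = @($window | Where-Object EventId -eq 4625).Count
                        Succeeded = @($window | Where-Object EventId -eq 4624).Count
                        Tried     = $accounts -join ','
                    }
                    break
                }
            }
        }
}

Find-SmbCredentialSpray -Events $SampleEvents | Format-Table -AutoSize
```

On the constructed input only 10.0.0.15 is reported (five accounts in three seconds, four failures and one success); 10.0.0.50 has a single account and alice’s logon is not over the network. On a live host, build the same objects from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` by reading the IpAddress, TargetUserName and LogonType fields of each event’s EventData. A source with a success after several failures is the one to isolate first: that is a machine whose Mimikatz output or hardcoded list just worked.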

PAYMENTS PAGE:

HOW TO PROTECT YOURSELF?

Kaspersky suggests disabling the WMI service to prevent the malware from spreading over your network. Note that this also breaks legitimate management tooling that relies on WMI, so treat it as an emergency measure.

Create a file at the path C:\Windows\infpub.dat and remove all write permissions from it, so that the dropper cannot write its DLL there.
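Both mitigations as a script, added here as an example rather than taken from the original write-up or from Kaspersky. It is meant to be run elevated. The vaccine function creates the file and strips every ACE from it, which removes write access along with everything else, and then verifies that a write is actually refused; only the path the text names is set. The WMI function is left as a call to uncomment after weighing the impact on management tooling.

```powershell
# Added example (not from the original write-up): the two mitigations above.
# Run elevated. Only C:\Windows\infpub.dat is vaccinated, as that is the path the text gives.

#Requires -RunAsAdministrator

function Disable-WmiService {
    # winmgmt is the Windows Management Instrumentation service. Disabling it also
    # breaks SCCM, monitoring agents and anything else built on WMI.
    Stop-Service -Name winmgmt -Force -ErrorAction Stop
    Set-Service -Name winmgmt -StartupType Disabled
    Get-Service -Name winmgmt | Select-Object Name, Status, StartType
}

function Install-BadRabbitVaccine {
    param([string[]]$Paths = @("$env:SystemRoot\infpub.dat"))
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            # A non-empty file at this path was not placed by us; the host may already be infected.
            if ((Get-Item -LiteralPath $p -Force).Length -gt 0) {
                Write-Warning "$p already exists and is not empty; triage this host before vaccinating"
                continue
            }
        } else {
            New-Item -Path $p -ItemType File | Out-Null
        }
        # Strip inherited ACEs and leave no explicit ones. An empty DACL grants nothing to
        # anyone, administrators included, until ownership is exercised to change it again.
        icacls.exe $p /inheritance:r | Out-Null
        # Verify: opening for write must now fail, which is what the dropper would attempt.
        $blocked = try { [IO.File]::OpenWrite($p).Dispose(); $false } catch { $true }
        [pscustomobject]@{ Path = $p; WriteBlocked = $blocked }
    }
}

Install-BadRabbitVaccine
# Disable-WmiService   # uncomment only after weighing the impact on WMI-dependent tooling
```

To remove the vaccine later, run `icacls C:\Windows\infpub.dat /reset` (the elevated account that created the file owns it and therefore keeps the right to change its ACL; otherwise take ownership first with `takeown /f`), then delete the file. The vaccine stops this dropper only; it does nothing for a host the SMB spread reaches with valid credentials, which is why the WMI measure is listed alongside it.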